Metasploit Framework

The result is a certificate being issued with the privileges of that AD security group, and all groups it is a member of, even if the requester is not part of those groups.

MITRE ATT&CK Mapping Technique ID Evidence Command and Scripting Interpreter: Unix Shell T1059.004 Extensive bash usage for tool installation, payload generation

The result is a certificate being issued with the privileges of that AD security group, and all groups it is a member of, even if the requester is not part of those groups.

A JavaScript and VBScript shellcode launcher. This will spawn a 32 bit version of the binary specified and inject shellcode into it.

The result is a certificate being issued with the privileges of that AD security group, and all groups it is a member of, even if the requester is not part of those groups.

By leveraging misconfigurations in ADCS implementations, threat actors are able to escalate their privileges and impersonate high-value domain accounts, up to and including domain admins, possibly leading to full domain compromise.

Generate a 32 bit raw shellcode in whatever framework you want... Run: cat payload.bin | base64 -w 0 ... Copy the base64 encoded payload into the code variable below

A JavaScript and VBScript shellcode launcher. This will spawn a 32 bit version of the binary specified and inject shellcode into it.

The result is a certificate being issued with the privileges of that AD security group, and all groups it is a member of, even if the requester is not part of those groups.

Through these techniques, threat actors abuse certificate templates which don’t require manager approval and include enrollment rights for low privileged users / groups.

It can be used to detect misconfigurations, but also to issue certificates utilizing a large range of escalation techniques and leveraging them for domain authentication.

C2 Tracker is a free-to-use-community-driven IOC feed that uses Shodan and Censys searches to collect IP addresses of known malware/botnet/C2 infrastructure.